CN105592044A - Message attack detection method and device - Google Patents


Info

Publication number: CN105592044A
Authority: CN (China)
Prior art keywords: message, serial number, queue, temporal, characteristic
Legal status: Granted
Application number: CN201510519724.1A
Other languages: Chinese (zh)
Other versions: CN105592044B (en)
Inventors: 石岩, 梁力文
Current assignee: Hangzhou H3C Technologies Co Ltd
Original assignee: Hangzhou H3C Technologies Co Ltd
Legal events: application filed by Hangzhou H3C Technologies Co Ltd; priority to CN201510519724.1A; publication of CN105592044A; application granted; publication of CN105592044B; current legal status: Active.

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416: Event detection, e.g. attack signature detection

Abstract

The invention provides a message attack detection method and a message attack detection device. The message attack detection method comprises the steps of: receiving a message with a type identifier, and determining a time feature queue corresponding to the type identifier; extracting a behavior feature of the message, and determining a message sequence number corresponding to the behavior feature; adding the message sequence number into the time feature queue, and generating a feature sequence; matching the feature sequence in a preset time sequence feature library, and acquiring a matching result; and carrying out corresponding processing on the message according to the matching result. The message attack detection method and the message attack detection device can accurately detect the message which attacks via time dimension, and carry out corresponding avoidance processing, thereby improving security performance of a system.

Description

Message attack detection method and device
Technical field
The present invention relates to the field of communication technology, and in particular to a message attack detection method and device.
Background technology
An IPS (Intrusion Prevention System) is a security software system that samples network messages, detects abnormal or attack payloads carried in messages on the live network, and processes them.
When a traditional IPS inspects a message, it usually performs feature detection in the spatial dimension only: it extracts the content feature of the message and judges from that content feature whether the message is an attack message.
However, because attack payload types keep changing, some vulnerability attacks (for example, the 2014 high-risk OpenSSL vulnerability CVE-2014-0224) cause no anomaly at all in the content feature of the message. If detection still relies only on spatial-dimension features, such attack payloads cannot be found, and the security performance of the system is reduced.
Summary of the invention
To address the defects of the prior art, the invention provides a message attack detection method and device.
The invention provides a message attack detection method applied to intrusion prevention system (IPS) equipment, the method comprising:
receiving a message carrying a type identifier, and determining the time feature queue corresponding to the type identifier;
extracting the behavior feature of the message, and determining the message sequence number corresponding to the behavior feature;
adding the message sequence number to the time feature queue, and generating a feature sequence;
matching the feature sequence in a preset time sequence feature library, and obtaining a matching result;
processing the message according to the matching result.
The invention also provides a message attack detection device applied to IPS equipment, the device comprising:
a determining unit, for receiving a message carrying a type identifier and determining the time feature queue corresponding to the type identifier;
an extraction unit, for extracting the behavior feature of the message and determining the message sequence number corresponding to the behavior feature;
a generation unit, for adding the message sequence number to the time feature queue and generating a feature sequence;
a matching unit, for matching the feature sequence in a preset time sequence feature library and obtaining a matching result;
a processing unit, for processing the message according to the matching result.
With the message attack detection method and device provided by the invention, when a received message carries a type identifier, the message sequence number corresponding to the message's behavior feature is added to the time feature queue corresponding to that type identifier, and the feature sequence generated from the message sequence numbers in the time feature queue is matched in a preset time sequence feature library, so as to further detect whether the message is a time-sequence attack and to process any detected attack message accordingly. The invention can therefore accurately detect messages that attack through the time dimension and take corresponding avoidance measures, improving the security performance of the system.
Brief description of the drawings
Fig. 1 is a schematic flow chart of a message attack detection method in an embodiment of the present invention;
Fig. 2 is a schematic diagram of the co-engine's processing of a message in an embodiment of the present invention;
Fig. 3 is a schematic diagram of the logical structure of a message attack detection device in an embodiment of the present invention;
Fig. 4 is a schematic diagram of the hardware structure of the IPS equipment in which the message attack detection device is located, in an embodiment of the present invention.
Detailed description of the invention
To make the purpose, technical solution and advantages of the application clearer, the solution of the application is described in further detail below with reference to the accompanying drawings.
In order to solve the problems in the prior art, the invention provides a message attack detection method and device.
Fig. 1 is a schematic diagram of the processing flow of the message attack detection method provided by the invention; the method can be applied to IPS equipment and comprises the following steps:
Step 101: receive a message carrying a type identifier, and determine the time feature queue corresponding to the type identifier.
In the embodiment of the present invention, to avoid the received messages being out of order, the IPS equipment may first perform order-preserving processing on them after reception, so that the order of the received messages is the original sending order. For example, the messages received within a buffering period may be sorted by the sending number carried in the header information of each message, after which the messages are processed one by one in the sorted order. The order-preserving processing of messages may follow the packet order-preserving flow of the prior art, which is not repeated here.
Then, based on the characteristics of an IPS, the detection engine of the IPS equipment may first perform spatial-dimension attack detection on the order-preserved messages in turn. That is: obtain the content feature of a received message, match the content feature in a preset spatial feature library, and obtain a matching result; if the matching result shows that the message is a spatial-dimension attack message, drop it; if the matching result shows that the message is not a spatial-dimension attack message, determine the protocol type of the message and add the type identifier corresponding to that protocol type to the message.
Specifically, the IPS equipment is preset with a spatial feature library, which stores the feature information of attack messages summarized from message attacks in the spatial dimension.
After the IPS equipment receives a message, the detection engine parses the message to obtain the content of the message data part, and extracts character strings from that data part according to preset rules or as required.
The detection engine then takes the extracted character strings as the content feature of the message and matches them in the preset spatial feature library according to a preset multi-pattern matching algorithm, to determine whether the message attacks through the spatial dimension.
The preset multi-pattern matching algorithm is one that finds multiple pattern strings in a character string as quickly and optimally as possible; that is, it finds, among the feature information in the spatial feature library, the feature information of the multiple patterns corresponding to the key message. For example, the multi-pattern matching algorithm in the present invention may be the AC (Aho-Corasick) algorithm, the WM (Wu-Manber) algorithm, etc.
In the embodiment of the present invention, the detection engine also processes the message differently according to the matching result. For example:
If the matching result is that the content feature matches corresponding feature information in the preset spatial feature library, the message is a spatial-dimension attack message. When the message is determined, from the processing information of the content feature, to be a spatial-dimension attack message, it may be dropped to avoid the attack, and alarm information may additionally be reported to the administrator after the message is dropped, as required;
If the matching result is that the content feature does not match any feature information in the preset spatial feature library, the message can be determined not to be a spatial-dimension attack message, and it is further detected whether the message attacks through the time dimension.
Suppose the feature information of attack messages summarized in the preset spatial feature library comprises abcd11e, abcd12e and abcd13e, and the character string extracted from the message data part is abcd11e. The matching result is then that the message matches feature information in the spatial feature library; the message is determined to be a spatial-dimension attack message and may be dropped, with alarm information reported to the administrator at the time of dropping. If the extracted character string is dbcd11e, the matching result is that the message does not match any feature information in the spatial feature library, and it is further detected whether the message attacks through the time dimension.
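The spatial-dimension matching just described, as an added worked example that is not code from the patent or from H3C: a small Aho-Corasick multi-pattern matcher built over the three constructed signature strings of the example above and run against the constructed payload strings. The library, the payloads and all class and function names are the example's own assumptions; the decision values returned are placeholders for the detection engine's drop / hand-over-to-co-engine outcomes.

```python
from collections import deque

# Constructed spatial feature library: the three signature strings from the
# patent's worked example (not a real IPS signature set).
SPATIAL_FEATURE_LIBRARY = ["abcd11e", "abcd12e", "abcd13e"]


class AhoCorasick:
    """Multi-pattern matcher (AC algorithm) over a set of signature strings.

    One left-to-right pass over the payload reports every library pattern that
    occurs in it, however many patterns the library holds.
    """

    def __init__(self, patterns):
        self.goto = [{}]      # trie: node index -> {char: child index}
        self.output = [[]]    # patterns that end at (or fail into) each node
        self.fail = [0]       # failure link per node
        for pattern in patterns:
            self._insert(pattern)
        self._build_failure_links()

    def _insert(self, pattern):
        node = 0
        for ch in pattern:
            child = self.goto[node].get(ch)
            if child is None:
                child = len(self.goto)
                self.goto[node][ch] = child
                self.goto.append({})
                self.output.append([])
                self.fail.append(0)
            node = child
        self.output[node].append(pattern)

    def _build_failure_links(self):
        # Breadth-first so every node's failure target is finished before its children.
        queue = deque(self.goto[0].values())      # depth-1 nodes fail to the root
        while queue:
            node = queue.popleft()
            for ch, child in self.goto[node].items():
                f = self.fail[node]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(ch, 0)
                self.output[child] += self.output[self.fail[child]]
                queue.append(child)

    def search(self, text):
        """Return (start_offset, pattern) for every occurrence of any pattern."""
        node, hits = 0, []
        for i, ch in enumerate(text):
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            for pattern in self.output[node]:
                hits.append((i - len(pattern) + 1, pattern))
        return hits


_MATCHER = AhoCorasick(SPATIAL_FEATURE_LIBRARY)


def spatial_detect(payload):
    """Detection-engine decision for one extracted data-part string.

    Returns ("drop", matched_signatures) when the content feature matches the
    spatial feature library, otherwise ("pass_to_co_engine", []) so that the
    time-dimension check can run.
    """
    hits = _MATCHER.search(payload)
    if hits:
        return "drop", sorted({pattern for _, pattern in hits})
    return "pass_to_co_engine", []


if __name__ == "__main__":
    for payload in ("abcd11e", "dbcd11e"):
        print(payload, "->", spatial_detect(payload))
```

The automaton is built once when the library is loaded and then costs one state transition per payload character, which is why the patent can name AC for a library with many signatures; a library of byte strings works the same way with `bytes` iteration.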
In the embodiment of the present invention, when a received message needs further detection of whether it attacks through the time dimension, the protocol type of the message can be determined from the protocol number in the five-tuple information of the message, i.e. which protocol the message belongs to.
The present invention presets different type identifiers for different protocol types. A type identifier can be a 32-bit integer; for example, the type identifier preset for SIP (Session Initiation Protocol) may be 1, that for SAP (Session Announcement Protocol) 2, that for the SSL (Secure Sockets Layer) protocol 3, that for TCP (Transmission Control Protocol) 4, and so on.
When a message is to be marked with a type identifier, it is marked according to the type identifier preset for each protocol.
In the embodiment of the present invention, an integer field may be added to the control data structure of a message; for a message to be marked, the corresponding type identifier is written into the integer field of the message's control data structure, so that time-dimension attack detection can be performed on the message.
To prevent attacks that an attacker carries out through the time dimension, the embodiment of the present invention may further provide a co-engine in IPS equipment that already has a detection engine (the detection engine above may serve as the main engine); the co-engine performs further time-dimension attack detection on messages carrying a type identifier.
Fig. 2 is a schematic diagram of the co-engine's processing of a message carrying a type identifier in an embodiment of the present invention. After the co-engine receives a message sent by the detection engine, it first parses the message and checks whether the integer field of the message's control data structure holds a type identifier; if so, it obtains the type identifier carried in the message.
The co-engine of the present invention is also preset with a time feature queue for each type identifier (protocol type). After obtaining the type identifier carried in the message, it determines the time feature queue corresponding to that type identifier.
Step 102: extract the behavior feature of the message, and determine the message sequence number corresponding to the behavior feature.
In the embodiment of the present invention, message sequence numbers corresponding to message behavior features are also preset: for each protocol type, a message sequence number is set in advance for each behavior feature of that protocol's messages.
After the time feature queue corresponding to the type identifier carried in the message has been determined, the message can be deeply parsed to learn its message type; the message type obtained by deep parsing is the behavior feature of the message.
Then, the message sequence number corresponding to the behavior feature of the message is looked up among the preset message sequence numbers.
For example, the three-way handshake of a TCP session comprises the SYN message sent by the client to the server, the SYN-ACK (synchronize-acknowledge) message with which the server responds to the client, and the ACK (acknowledge) message with which the client responds to the server according to the SYN-ACK message. The message sequence number set for the SYN message may then be "1", that for the SYN-ACK message "2", and that for the ACK message "3".
In addition, a default sequence number can also be preset as a message sequence number that can mark any behavior feature. Normally, when the message is determined to be a data message, the default sequence number is used as the message sequence number corresponding to the behavior feature of the data message; this default sequence number matches any value in the time sequence feature library, and may for example be 0.
Step 103: add the message sequence number to the time feature queue, and generate a feature sequence.
The message sequence number is then added to the time feature queue corresponding to the type identifier carried in the message.
The time feature queue is a first-in, first-out queue with a preset number of features that can be arranged in it. For example, if the preset number of features of the time feature queue is 5, then when the queue receives the 6th message sequence number, the message sequence number in the 1st position is moved out of the queue.
After the message sequence number has been added to the time feature queue, the number of message sequence numbers currently arranged in the queue is checked, and the feature sequence is generated in one of two ways accordingly.
When the number of message sequence numbers added to the time feature queue is less than the preset number of features of the queue, a preset specific number is combined with the message sequence numbers in the queue to generate a feature sequence whose number of message sequence numbers equals the preset number of features; or, when the number of message sequence numbers added to the time feature queue equals the preset number of features of the queue, the feature sequence is generated from the message sequence numbers arranged in the queue.
Specifically, still assuming the preset number of features of the time feature queue is 5, after the message sequence number of a message is added to the queue, the feature sequence can be generated from the message sequence numbers in the queue in either of the following two ways:
1. Obtain all message sequence numbers arranged in the time feature queue, and generate the feature sequence according to their arrangement order in the queue.
1) The case where the number of message sequence numbers added to the time feature queue is less than the preset number of features (for example, the message sequence number is in any of positions 1 to 4 of the queue):
Suppose the message sequence number currently added to the time feature queue is 3 and it is the first to be added (it is in position 1 of the queue); then message sequence number 3 alone may serve as the feature sequence, and the generated feature sequence is: 3.
If the message sequence number 3 currently added to the time feature queue is the 4th to be added (it is in position 4 of the queue), and the first 3 message sequence numbers in the queue are 5, 10, 15 in order, then the generated feature sequence is 5, 10, 15, 3.
2) The case where the number of message sequence numbers added to the time feature queue equals the preset number of features (the message sequence number is in position 5 of the queue):
Suppose the first 4 message sequence numbers in the time feature queue are 5, 10, 15, 20 in order; then the feature sequence generated from the message sequence numbers arranged in the queue is 5, 10, 15, 20, 3.
2. Combine a preset message sequence number with the message sequence numbers in the time feature queue to generate a feature sequence whose number of message sequence numbers equals the preset number of features.
This way of generating the feature sequence applies only when the number of message sequence numbers added to the time feature queue is less than the preset number of features (for example, the message sequence number is in any of positions 1 to 4 of the queue).
For example, the preset message sequence number may be set to "X" by prior agreement, or to the maximum 32-bit integer, etc. If the message sequence number 3 currently added to the time feature queue is the first to be added (it is in position 1 of the queue), the preset message sequence number (taking "X" as an example) is combined with message sequence number 3 to generate a feature sequence whose number of message sequence numbers equals the number of features (5): X, X, X, X, 3.
If the message sequence number 3 currently added to the time feature queue is the 4th to be added (it is in position 4 of the queue), and the first 3 message sequence numbers in the queue are 5, 10, 15 in order, then the generated feature sequence is X, 5, 10, 15, 3.
Step 104: match the feature sequence in the preset time sequence feature library, and obtain a matching result.
After the feature sequence has been generated from the message sequence numbers in the time feature queue, it can be matched in the preset time sequence feature library according to a multi-pattern matching algorithm; this preset multi-pattern matching algorithm may again be the AC algorithm, the WM algorithm, etc.
The time sequence feature library likewise stores the feature information of attack messages summarized from message attacks in the time dimension. The time sequence feature library may be a normal time sequence feature library, which holds normal time sequence features, or an abnormal time sequence feature library, which holds abnormal time sequence features.
When the time sequence feature library is a normal time sequence feature library: if the generated feature sequence matches corresponding feature information in the preset normal library, the matching result is that corresponding feature information was matched in the normal library, and the message can be determined not to be a time-sequence attack message; otherwise, the matching result is that no corresponding feature information was matched in the normal library, and the message can be determined to be a time-sequence attack message.
Similarly, when the time sequence feature library is an abnormal time sequence feature library: if the generated feature sequence matches corresponding feature information in the preset abnormal library, the matching result is that corresponding feature information was matched in the abnormal library, and the message can be determined to be a time-sequence attack message; otherwise, the matching result is that no corresponding feature information was matched in the abnormal library, and the message can be determined not to be a time-sequence attack message.
It should be noted that if the generated feature sequence contains a message sequence number of 0, that message sequence number 0 can match any value in the feature library during feature matching.
For instance, if the generated feature sequence is 5, 0, 15, 20, 3 and the time sequence feature library contains the feature information 5, 8, 15, 20, 3, the 0 in the feature sequence can be regarded as matching the 8 in the feature information 5, 8, 15, 20, 3, so the feature sequence 5, 0, 15, 20, 3 has matched corresponding feature information in the preset time sequence feature library.
Step 105: process the message according to the matching result.
The co-engine in the present invention also processes the message differently according to the matching result. For example:
When the time sequence features held in the time sequence feature library are normal time sequence features: if the matching result is that feature information corresponding to the feature sequence was matched in the library, i.e. the message is determined not to be a time-sequence attack message, the message can be forwarded according to the normal flow; if the matching result is that no feature information corresponding to the feature sequence was matched in the library, i.e. the message is determined to be a time-dimension attack message, the message can be dropped to avoid the attack.
When the time sequence features held in the time sequence feature library are abnormal time sequence features: if the matching result is that no feature information corresponding to the feature sequence was matched in the library, i.e. the message is determined not to be a time-sequence attack message, the message can be forwarded according to the normal flow; otherwise the message is dropped to avoid the attack.
Further, once a time-dimension attack has been determined, alarm information can also be sent to the administrator when the message is dropped, as required, so that the administrator can take precautions in time.
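Steps 102 to 105 taken together, as an added example that is not part of the patent or of H3C's product code: a per-type-identifier FIFO time feature queue of depth 5 supporting both feature-sequence generation modes (the bare queue contents, and the contents left-padded with X), position-wise matching in which the default sequence number 0 matches any library value, and the forward/drop decision for a normal or an abnormal library. The TCP sequence numbers (SYN = 1, SYN-ACK = 2, ACK = 3), the padding value X, the default 0, the TCP type identifier 4 and the queue depth 5 are the values the description uses as examples; the normal TCP library, the message traces and every name in the code are constructed for this example. Matching is a linear scan over the library rather than the AC or WM multi-pattern algorithm the patent names, because the 0 wildcard makes a plain position-wise comparison the clearer illustration.

```python
from collections import deque

# Constructed preset tables, using the example values from the description.
TYPE_ID_TCP = 4        # type identifier preset for TCP
QUEUE_DEPTH = 5        # preset number of features a time feature queue holds
DEFAULT_SEQ = 0        # preset sequence number that matches any library value
PAD = "X"              # preset value used to fill a queue that is not yet full

# behaviour feature -> message sequence number, per protocol type
SEQ_NUMBERS = {TYPE_ID_TCP: {"SYN": 1, "SYN-ACK": 2, "ACK": 3}}


def sequence_number(type_id, behaviour):
    """Map a behaviour feature obtained by deep parsing to its preset sequence number.
    Assumption of this example: a data message (any behaviour without a preset
    number) is given the default sequence number DEFAULT_SEQ."""
    return SEQ_NUMBERS.get(type_id, {}).get(behaviour, DEFAULT_SEQ)


class TimeFeatureQueue:
    """FIFO queue of sequence numbers; adding the (depth+1)-th entry evicts the first."""

    def __init__(self, depth=QUEUE_DEPTH):
        self.depth = depth
        self.entries = deque(maxlen=depth)

    def push(self, seq):
        self.entries.append(seq)

    def feature_sequence(self, pad=None):
        """Mode 1 (pad=None): the queued sequence numbers in arrival order.
        Mode 2 (pad given): left-pad with `pad` so the result always has `depth` entries."""
        seqs = list(self.entries)
        if pad is None or len(seqs) == self.depth:
            return seqs
        return [pad] * (self.depth - len(seqs)) + seqs


def sequence_matches(feature_seq, library_entry):
    """Position-wise comparison; DEFAULT_SEQ in the feature sequence matches any value."""
    return len(feature_seq) == len(library_entry) and all(
        f == DEFAULT_SEQ or f == e for f, e in zip(feature_seq, library_entry))


def decide(feature_seq, library, kind):
    """Normal library: a match is benign (forward), no match is a time-sequence
    attack (drop). Abnormal library: a match is the attack (drop), no match forwards."""
    matched = any(sequence_matches(feature_seq, entry) for entry in library)
    if kind == "normal":
        return "forward" if matched else "drop"
    if kind == "abnormal":
        return "drop" if matched else "forward"
    raise ValueError("library kind must be 'normal' or 'abnormal'")


class CoEngine:
    """Time-dimension check for messages that already carry a type identifier."""

    def __init__(self, library, kind, pad=PAD):
        self.library, self.kind, self.pad = library, kind, pad
        self.queues = {}   # type identifier -> its TimeFeatureQueue

    def process(self, type_id, behaviour):
        queue = self.queues.setdefault(type_id, TimeFeatureQueue())
        queue.push(sequence_number(type_id, behaviour))          # step 102/103
        feature_seq = queue.feature_sequence(self.pad)           # step 103
        return feature_seq, decide(feature_seq, self.library, self.kind)  # 104/105


# Constructed normal time-sequence feature library for TCP: the three-way
# handshake followed by data messages, padded to the queue depth.
X = PAD
NORMAL_TCP_LIBRARY = [
    [X, X, X, X, 1], [X, X, X, 1, 2], [X, X, 1, 2, 3],
    [X, 1, 2, 3, 0], [1, 2, 3, 0, 0],
]


def run_trace(behaviours):
    """Feed a constructed message trace through a fresh co-engine; return
    (feature_sequence, action) per message."""
    engine = CoEngine(NORMAL_TCP_LIBRARY, "normal")
    return [engine.process(TYPE_ID_TCP, b) for b in behaviours]


if __name__ == "__main__":
    for trace in (["SYN", "SYN-ACK", "ACK", "DATA", "DATA"], ["SYN", "SYN", "SYN"]):
        for seq, action in run_trace(trace):
            print(seq, "->", action)
```

With the normal library, a complete handshake followed by data is forwarded at every step, while a second SYN arriving without the SYN-ACK and ACK in between produces the sequence X, X, X, 1, 1, which matches nothing and is dropped; swapping in an abnormal library inverts the decision, as `decide` shows.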
In summary, with the message attack detection method provided by the invention, when a received message carries a type identifier, the message sequence number corresponding to the message's behavior feature is added to the time feature queue corresponding to that type identifier, and the feature sequence generated from the message sequence numbers in the time feature queue is matched in the preset time sequence feature library, so as to further detect whether the message is a time-sequence attack and to process any detected attack message accordingly. The invention can therefore accurately detect messages that attack through the time dimension and take corresponding avoidance measures, improving the security performance of the system.
The present invention also provides a kind of message aggression checkout gear, and Fig. 3 is the structure of this message aggression checkout gearSchematic diagram, this device can be applied to IPS equipment, and this message aggression checkout gear can comprise determining unit301, extraction unit 302, generation unit 303, matching unit 304 and processing unit 305, wherein:
Determining unit 301, for receiving the message with type identification, determines corresponding with described type identificationTemporal characteristics queue;
Extraction unit 302, for extracting the behavioural characteristic of this message, determines corresponding with described behavioural characteristicTest serial number;
Generation unit 303, for adding described test serial number in described temporal characteristics queue, and generating featureSequence;
Matching unit 304, for mating in default temporal aspect storehouse according to described characteristic sequence, andObtain matching result;
Processing unit 305, for carrying out respective handling according to matching result to described message.
Further, said apparatus can also comprise acquiring unit 306 and identify unit 307, wherein obtainsUnit 306 is for obtaining the content characteristic of described message, and by described content characteristic at default space characteristicsIn storehouse, mate, obtain matching result; Identify unit 307 is for determining institute according to described matching resultWhen stating message and being the attack message of Spatial Dimension, abandon the attack message of described Spatial Dimension; Described in basisMatching result is determined when described message is the attack message of non-space dimension, determines the protocol class of described messageType, and the type identification corresponding with the protocol type of described message is added in described message.
Further, above-mentioned generation unit 303 specifically can be for when adding in described temporal characteristics queueWhen test serial number quantity is less than the default feature quantity of described temporal characteristics queue, by default specific numbers withTest serial number in described temporal characteristics queue combines, and generating test serial number quantity is described feature quantityCharacteristic sequence; Or, when the test serial number quantity of adding in described temporal characteristics queue is described time spyWhile levying the default feature quantity of queue, described in generating according to the test serial number of arranging in described temporal characteristics queueCharacteristic sequence.
Further, above-mentioned processing unit 305 can also be used for the sequential of preserving when described temporal aspect storehouseWhile being characterized as the temporal aspect of normal sequential, if described matching result is to have with described in described temporal aspect storehouseThe feature of characteristic sequence coupling, forwards described message, otherwise abandons described message; Or, work as instituteWhen temporal aspect that to state the temporal aspect preserved in temporal aspect storehouse be abnormal sequential, if described matching result isThe feature of not mating with described characteristic sequence in described temporal aspect storehouse, forwards described message, noAbandon described message.
Further, said extracted unit 302 specifically can be in the time that definite described message be data message,Using default sequence number as the test serial number corresponding with the behavioural characteristic of described message, wherein, described default sequence numberCan mate arbitrary value in described temporal aspect storehouse.
The specific processing flow of the message attack detection device that the present invention applies to IPS equipment is consistent with the processing flow of the message attack detection method described above, and is not repeated here.
The above device may be implemented in software or in hardware. The hardware architecture of the network device hosting the message attack detection device of the present invention may be as shown in Figure 4: its basic hardware environment comprises a central processing unit (CPU), a forwarding chip, memory and other hardware, where the memory stores machine-readable instructions and the CPU reads and executes those instructions to perform the functions of the units in Figure 3.
From the embodiments of the above methods and devices it can be seen that, in the message attack detection method and device provided by the embodiments of the present invention, when a received message carries a type identification, the message sequence number corresponding to the behavioral feature of the message is added to the temporal feature queue corresponding to that type identification, and the feature sequence generated from the message sequence numbers in the temporal feature queue is matched in a default temporal feature library, so as to further detect whether the message belongs to a sequence (time-dimension) attack and to handle a detected attack message accordingly. The present invention can therefore accurately detect messages that attack through the time dimension and respond to them appropriately, improving the security of the system.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (10)

1. A message attack detection method, applied to intrusion prevention system (IPS) equipment, characterized in that the method comprises:
receiving a message carrying a type identification, and determining the temporal feature queue corresponding to the type identification;
extracting the behavioral feature of the message, and determining the message sequence number corresponding to the behavioral feature;
adding the message sequence number to the temporal feature queue, and generating a feature sequence;
matching the feature sequence in a default temporal feature library, and obtaining a matching result;
processing the message according to the matching result.
2. The method of claim 1, characterized in that, before receiving the message carrying a type identification, the method further comprises:
obtaining the content feature of the message, matching the content feature in a default spatial feature library, and obtaining a matching result;
if it is determined from the matching result that the message is an attack message of the spatial dimension, discarding the attack message of the spatial dimension;
if it is determined from the matching result that the message is not an attack message of the spatial dimension, determining the protocol type of the message, and adding the type identification corresponding to the protocol type of the message to the message.
3. The method of claim 1, characterized in that adding the message sequence number to the temporal feature queue and generating a feature sequence specifically comprises:
when the number of message sequence numbers added to the temporal feature queue is less than the default feature count of the temporal feature queue, combining a default specific number with the message sequence numbers in the temporal feature queue to generate a feature sequence whose number of sequence numbers equals the feature count; or,
when the number of message sequence numbers added to the temporal feature queue equals the default feature count of the temporal feature queue, generating the feature sequence from the message sequence numbers arranged in the temporal feature queue.
4. The method of claim 1, characterized in that processing the message according to the matching result specifically comprises:
when the temporal features stored in the temporal feature library are temporal features of normal sequences, forwarding the message if the matching result is that the temporal feature library contains a feature matching the feature sequence, and otherwise discarding the message; or,
when the temporal features stored in the temporal feature library are temporal features of abnormal sequences, forwarding the message if the matching result is that the temporal feature library contains no feature matching the feature sequence, and otherwise discarding the message.
5. The method of claim 1, characterized in that extracting the behavioral feature of the message and determining the message sequence number corresponding to the behavioral feature specifically comprises:
if the message is determined to be a data message, using a default sequence number as the message sequence number corresponding to the behavioral feature of the message, where the default sequence number can match any value in the temporal feature library.
6. A message attack detection device, applied to IPS equipment, characterized in that the device comprises:
a determining unit, for receiving a message carrying a type identification and determining the temporal feature queue corresponding to the type identification;
an extraction unit, for extracting the behavioral feature of the message and determining the message sequence number corresponding to the behavioral feature;
a generation unit, for adding the message sequence number to the temporal feature queue and generating a feature sequence;
a matching unit, for matching the feature sequence in a default temporal feature library and obtaining a matching result;
a processing unit, for processing the message according to the matching result.
7. The device of claim 6, characterized in that the device further comprises:
an acquiring unit, for obtaining the content feature of the message, matching the content feature in a default spatial feature library, and obtaining a matching result;
an identification unit, for discarding the message when it is determined from the matching result that the message is an attack message of the spatial dimension, and, when it is determined from the matching result that the message is not an attack message of the spatial dimension, determining the protocol type of the message and adding the type identification corresponding to the protocol type of the message to the message.
8. The device of claim 6, characterized in that the generation unit is specifically for:
when the number of message sequence numbers added to the temporal feature queue is less than the default feature count of the temporal feature queue, combining a default specific number with the message sequence numbers in the temporal feature queue to generate a feature sequence whose number of sequence numbers equals the feature count; or,
when the number of message sequence numbers added to the temporal feature queue equals the default feature count of the temporal feature queue, generating the feature sequence from the message sequence numbers arranged in the temporal feature queue.
9. The device of claim 6, characterized in that the processing unit is specifically for:
when the temporal features stored in the temporal feature library are temporal features of normal sequences, forwarding the message if the matching result is that the temporal feature library contains a feature matching the feature sequence, and otherwise discarding the message; or,
when the temporal features stored in the temporal feature library are temporal features of abnormal sequences, forwarding the message if the matching result is that the temporal feature library contains no feature matching the feature sequence, and otherwise discarding the message.
10. The device of claim 6, characterized in that the extraction unit is specifically for:
if the message is determined to be a data message, using a default sequence number as the message sequence number corresponding to the behavioral feature of the message, where the default sequence number can match any value in the temporal feature library.
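The time-dimension detection described in the embodiments above and in claims 1, 3, 4 and 5, as an added example that is not code from the patent or from H3C: a per-type sliding queue of message sequence numbers, queue padding with a default specific number, a wildcard sequence number for data messages, and the normal-library versus abnormal-library decision. The protocol, the behaviour table, the library contents and the values chosen for WILDCARD, PAD and DATA are all constructed assumptions.

```python
from collections import deque

# Assumed encodings, not taken from the patent: WILDCARD is the "default sequence
# number" given to data messages (claim 5), which matches any library value; PAD
# is the "default specific number" used to fill a queue that is still shorter
# than the feature count (claim 3); DATA marks a library position where a data
# message is expected.
WILDCARD, PAD, DATA = 0, -1, 9

# Constructed behaviour -> message sequence number table for a toy control protocol.
BEHAVIOUR_MAP = {"hello": 1, "auth": 2, "bye": 3}

# Constructed temporal feature library of normal sequences, feature count 3:
# a session must open with hello, authenticate, then carry data until bye.
NORMAL_LIBRARY = [
    (PAD, PAD, 1), (PAD, 1, 2), (1, 2, DATA), (2, DATA, DATA),
    (DATA, DATA, DATA), (2, DATA, 3), (DATA, DATA, 3),
]


class TemporalDetector:
    """One sliding queue of sequence numbers per type identification, matched
    against a temporal feature library of normal or abnormal sequences."""

    def __init__(self, feature_count, library, library_is_normal):
        self.feature_count = feature_count
        self.library = [tuple(seq) for seq in library]
        self.library_is_normal = library_is_normal
        self.queues = {}  # type identification -> temporal feature queue

    def sequence_number(self, message):
        # Claim 5: a data message gets the default (wildcard) sequence number.
        if message["kind"] == "data":
            return WILDCARD
        return BEHAVIOUR_MAP[message["behaviour"]]

    def feature_sequence(self, queue):
        # Claim 3: pad a short queue with the default specific number; a full
        # queue is used as arranged (the deque keeps only the newest entries).
        padding = [PAD] * (self.feature_count - len(queue))
        return tuple(padding + list(queue))

    def matches(self, seq):
        # A wildcard on the message side matches any value in the library.
        return any(
            all(a == b or a == WILDCARD for a, b in zip(seq, lib_seq))
            for lib_seq in self.library
        )

    def handle(self, message):
        """Return 'forward' or 'drop' for one message (claims 1 and 4)."""
        queue = self.queues.setdefault(
            message["type_id"], deque(maxlen=self.feature_count))
        queue.append(self.sequence_number(message))
        matched = self.matches(self.feature_sequence(queue))
        # Normal library: forward only on a match; abnormal library: forward
        # only when nothing matches.
        return "forward" if matched == self.library_is_normal else "drop"
```

With the constructed library, an `auth` that arrives before `hello`, or after `bye`, yields a feature sequence absent from the normal library and is dropped, while a well-ordered session is forwarded message by message.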
CN201510519724.1A 2015-08-21 2015-08-21 Message aggression detection method and device Active CN105592044B (en)


Publications (2)

Publication Number Publication Date
CN105592044A true CN105592044A (en) 2016-05-18
CN105592044B CN105592044B (en) 2019-05-07





Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant after: Xinhua three Technology Co., Ltd.

Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant before: Huasan Communication Technology Co., Ltd.
